NetBSD Problem Report #41070
From tls@panix.com Tue Mar 24 23:41:19 2009
Return-Path: <tls@panix.com>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 9A25063B8BA
for <gnats-bugs@gnats.NetBSD.org>; Tue, 24 Mar 2009 23:41:19 +0000 (UTC)
Message-Id: <20090324234118.431F52428B@panix5.panix.com>
Date: Tue, 24 Mar 2009 19:41:18 -0400 (EDT)
From: tls@NetBSD.ORG
To: gnats-bugs@gnats.NetBSD.org
Subject: bad adjustment of iov len in swcr_compdec can panic kernel
X-Send-Pr-Version: 3.95
>Number: 41070
>Category: kern
>Synopsis: bad adjustment of iov len in swcr_compdec can panic kernel
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Mar 24 23:45:01 +0000 2009
>Closed-Date: Wed Mar 25 03:20:52 +0000 2009
>Last-Modified: Sun May 03 17:30:09 +0000 2009
>Originator: Thor Lancelot Simon
>Release: NetBSD 5.0_RC2
>Organization:
>Environment:
System: NetBSD panix5.panix.com 5.0_RC2 NetBSD 5.0_RC2 (PANIX-XEN3U-USER-pae) #1: Sat Feb 21 20:24:11 EST 2009 root@juggler.panix.com:/misc1/obj/misc2/devel/netbsd/5.0-RC2/src/sys/arch/i386/compile/PANIX-XEN3U-USER-pae i386
Architecture: i386
Machine: i386
>Description:
In cryptosoft.c (the software backend for /dev/crypto), when
handling a request submitted in an iovec, the length field is
adjusted, analogously to the same operation for a request submitted
in an mbuf. When the requests were allocated with malloc, this was
mostly harmless. Now that they are allocated with kmem_alloc, it
can cause a kernel panic on request free (request completion).
This is an uncommon problem as few transforms can actually change
the result size, and the main one involved (deflate) is called in
the stock NetBSD kernel only from the IPcomp code, which submits
requests in mbufs. But it is still a bug, and is serious if one
encounters it.
>How-To-Repeat:
Submit a compression request in an iovec.
>Fix:
Don't change the length to be freed!
>Release-Note:
>Audit-Trail:
From: Darran Hunt <darran@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/41070 CVS commit: src/sys
Date: Wed, 25 Mar 2009 01:26:14 +0000
Module Name: src
Committed By: darran
Date: Wed Mar 25 01:26:13 UTC 2009
Modified Files:
src/sys/lib/libkern: Makefile.libkern libkern.h
src/sys/lib/libkern/arch/i386: Makefile.inc
src/sys/net: zlib.h
src/sys/opencrypto: crypto.c cryptodev.c cryptodev.h cryptosoft.c
cryptosoft.h cryptosoft_xform.c deflate.c deflate.h
files.opencrypto xform.c xform.h
Added Files:
src/sys/lib/libkern: crc32.c crc32.h
src/sys/opencrypto: ocryptodev.c ocryptodev.h
Log Message:
Fixes PR kern/41069 and PR kern/41070.
Extends the Opencrypto API to allow the destination buffer size to be
specified when its not the same size as the input buffer (i.e. for
operations like compress and decompress).
The crypto_op and crypt_n_op structures gain a u_int dst_len field.
The session_op structure gains a comp_alg field to specify a compression
algorithm.
Moved four ioctls to new ids; CIOCGSESSION, CIOCNGSESSION, CIOCCRYPT,
and CIOCNCRYPTM.
Added four backward compatible ioctls; OCIOCGSESSION, OCIOCNGSESSION,
OCIOCCRYPT, and OCIOCNCRYPTM.
Backward compatibility is maintained in ocryptodev.h and ocryptodev.c which
implement the original ioctls and set dst_len and comp_alg to 0.
Adds user-space access to compression features.
Adds software gzip support (CRYPTO_GZIP_COMP).
Adds the fast version of crc32 from zlib to libkern. This should be generally
useful and provide a place to start normalizing the various crc32 routines
in the kernel. The crc32 routine is used in this patch to support GZIP.
With input and support from tls@NetBSD.org.
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/sys/lib/libkern/Makefile.libkern
cvs rdiff -u -r0 -r1.1 src/sys/lib/libkern/crc32.c \
src/sys/lib/libkern/crc32.h
cvs rdiff -u -r1.88 -r1.89 src/sys/lib/libkern/libkern.h
cvs rdiff -u -r1.27 -r1.28 src/sys/lib/libkern/arch/i386/Makefile.inc
cvs rdiff -u -r1.13 -r1.14 src/sys/net/zlib.h
cvs rdiff -u -r1.32 -r1.33 src/sys/opencrypto/crypto.c
cvs rdiff -u -r1.45 -r1.46 src/sys/opencrypto/cryptodev.c
cvs rdiff -u -r1.15 -r1.16 src/sys/opencrypto/cryptodev.h
cvs rdiff -u -r1.23 -r1.24 src/sys/opencrypto/cryptosoft.c
cvs rdiff -u -r1.5 -r1.6 src/sys/opencrypto/cryptosoft.h \
src/sys/opencrypto/deflate.h
cvs rdiff -u -r1.11 -r1.12 src/sys/opencrypto/cryptosoft_xform.c
cvs rdiff -u -r1.12 -r1.13 src/sys/opencrypto/deflate.c
cvs rdiff -u -r1.19 -r1.20 src/sys/opencrypto/files.opencrypto
cvs rdiff -u -r0 -r1.1 src/sys/opencrypto/ocryptodev.c \
src/sys/opencrypto/ocryptodev.h
cvs rdiff -u -r1.17 -r1.18 src/sys/opencrypto/xform.c
cvs rdiff -u -r1.9 -r1.10 src/sys/opencrypto/xform.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: tls@NetBSD.org
State-Changed-When: Wed, 25 Mar 2009 03:20:52 +0000
State-Changed-Why:
Darran fixed it.
From: Soren Jacobsen <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/41070 CVS commit: [netbsd-5] src/sys
Date: Sun, 3 May 2009 17:24:46 +0000
Module Name: src
Committed By: snj
Date: Sun May 3 17:24:46 UTC 2009
Modified Files:
src/sys/lib/libkern [netbsd-5]: Makefile libkern.h
src/sys/lib/libkern/arch/i386 [netbsd-5]: Makefile.inc
src/sys/net [netbsd-5]: zlib.h
src/sys/opencrypto [netbsd-5]: crypto.c cryptodev.c cryptodev.h
cryptosoft.c cryptosoft.h cryptosoft_xform.c deflate.c deflate.h
files.opencrypto xform.c xform.h
Added Files:
src/sys/lib/libkern [netbsd-5]: crc32.c crc32.h
src/sys/opencrypto [netbsd-5]: ocryptodev.c ocryptodev.h
Log Message:
Pull up following revision(s) (requested by tls in ticket #611):
sys/lib/libkern/Makefile: patch
sys/lib/libkern/crc32.c: revision 1.1
sys/lib/libkern/crc32.h: revision 1.1
sys/lib/libkern/libkern.h: revision 1.89
sys/lib/libkern/arch/i386/Makefile.inc: revision 1.28
sys/net/zlib.h: revision 1.14 via patch
sys/opencrypto/crypto.c: revision 1.33
sys/opencrypto/cryptodev.c: revision 1.46
sys/opencrypto/cryptodev.h: revision 1.16
sys/opencrypto/cryptosoft.c: revision 1.24
sys/opencrypto/cryptosoft.h: revision 1.6
sys/opencrypto/deflate.h: revision 1.6
sys/opencrypto/cryptosoft_xform.c: revision 1.12
sys/opencrypto/deflate.c: revision 1.13
sys/opencrypto/files.opencrypto: revision 1.20
sys/opencrypto/ocryptodev.c: revision 1.1
sys/opencrypto/ocryptodev.h: revision 1.1
sys/opencrypto/xform.c: revision 1.18
sys/opencrypto/xform.h: revision 1.10
Fixes PR kern/41069 and PR kern/41070.
Extends the Opencrypto API to allow the destination buffer size to be
specified when its not the same size as the input buffer (i.e. for
operations like compress and decompress).
The crypto_op and crypt_n_op structures gain a u_int dst_len field.
The session_op structure gains a comp_alg field to specify a compression
algorithm.
Moved four ioctls to new ids; CIOCGSESSION, CIOCNGSESSION, CIOCCRYPT,
and CIOCNCRYPTM.
Added four backward compatible ioctls; OCIOCGSESSION, OCIOCNGSESSION,
OCIOCCRYPT, and OCIOCNCRYPTM.
Backward compatibility is maintained in ocryptodev.h and ocryptodev.c which
implement the original ioctls and set dst_len and comp_alg to 0.
Adds user-space access to compression features.
Adds software gzip support (CRYPTO_GZIP_COMP).
Adds the fast version of crc32 from zlib to libkern. This should be generally
useful and provide a place to start normalizing the various crc32 routines
in the kernel. The crc32 routine is used in this patch to support GZIP.
With input and support from tls@NetBSD.org.
To generate a diff of this commit:
cvs rdiff -u -r1.89 -r1.89.6.1 src/sys/lib/libkern/Makefile
cvs rdiff -u -r0 -r1.4.4.2 src/sys/lib/libkern/crc32.c
cvs rdiff -u -r0 -r1.1.4.2 src/sys/lib/libkern/crc32.h
cvs rdiff -u -r1.82 -r1.82.4.1 src/sys/lib/libkern/libkern.h
cvs rdiff -u -r1.27 -r1.27.86.1 src/sys/lib/libkern/arch/i386/Makefile.inc
cvs rdiff -u -r1.12 -r1.12.84.1 src/sys/net/zlib.h
cvs rdiff -u -r1.29.4.1 -r1.29.4.2 src/sys/opencrypto/crypto.c
cvs rdiff -u -r1.44.8.2 -r1.44.8.3 src/sys/opencrypto/cryptodev.c
cvs rdiff -u -r1.14.10.1 -r1.14.10.2 src/sys/opencrypto/cryptodev.h
cvs rdiff -u -r1.20 -r1.20.20.1 src/sys/opencrypto/cryptosoft.c
cvs rdiff -u -r1.5 -r1.5.52.1 src/sys/opencrypto/cryptosoft.h
cvs rdiff -u -r1.8 -r1.8.20.1 src/sys/opencrypto/cryptosoft_xform.c
cvs rdiff -u -r1.11 -r1.11.10.1 src/sys/opencrypto/deflate.c
cvs rdiff -u -r1.5 -r1.5.10.1 src/sys/opencrypto/deflate.h
cvs rdiff -u -r1.19 -r1.19.20.1 src/sys/opencrypto/files.opencrypto
cvs rdiff -u -r0 -r1.2.4.2 src/sys/opencrypto/ocryptodev.c
cvs rdiff -u -r0 -r1.1.4.2 src/sys/opencrypto/ocryptodev.h
cvs rdiff -u -r1.17 -r1.17.14.1 src/sys/opencrypto/xform.c
cvs rdiff -u -r1.9 -r1.9.20.1 src/sys/opencrypto/xform.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home